Is A Security Disaster… And Those Working On It Knew It, And Tried To Stop Independent Security Review To Hide It

from the well-that's-not-at-all-comforting dept

We’ve written before about how problematic the technology is behind the federal website, pointing out that the federal government hired political cronies rather than web development experts to build it. There was an effort to open source the code, but after the feds put the code on github, they removed it after people started pointing out just how bad it was. Then, just about a month ago, we noted that the government turned down a FOIA request from the Associated Press concerning the site’s security practices, arguing that it might “give hackers enough information to break into the service.” As we noted at the time, if revealing the basic security you have in place will give hackers a road map to breaking into the site, the site is not secure at all.

A damning new report from the Goverment Accountability Office (GAO) more or less confirms this is the case. This is further backed up by an even more astounding “Behind the Curtain of the Rollout” released by the House Oversight Committee. To be fair, the GAO is non-partisan and known to be even-handed and fair. That’s not always the case with Congressional committee reports. Still, the two are worth reading together. The level of mess behind the project is rather astounding and it appears that the site still is not particularly secure, which obviously explains the refusal to do that FOIA release.

Here’s the GAO basic summary of the security situation for the site:

While CMS has taken steps to protect the security and privacy of data processed
and maintained by the complex set of systems and interconnections that support, weaknesses remain both in the processes used for managing
information security and privacy as well as the technical implementation of IT
security controls. CMS took many steps to protect security and privacy, including
developing required security program policies and procedures, establishing
interconnection security agreements with its federal and commercial partners,
and instituting required privacy protections. However, had
weaknesses when it was first deployed, including incomplete security plans and
privacy documentation, incomplete security tests, and the lack of an alternate
processing site to avoid major service disruptions. While CMS has taken steps to
address some of these weaknesses, it has not yet fully mitigated all of them. In
addition, GAO identified weaknesses in the technical controls protecting the
confidentiality, integrity, and availability of the FFM. Specifically, CMS had not:
always required or enforced strong password controls, adequately restricted
access to the Internet, consistently implemented software patches, and properly
configured an administrative network. An important reason that all of these
weaknesses occurred and some remain is that CMS did not and has not yet
ensured a shared understanding of how security was implemented for the FFM
among all entities involved in its development. Until these weaknesses are fully
addressed, increased and unnecessary risks remain of unauthorized access,
disclosure, or modification of the information collected and maintained by and related systems, and the disruption of service provided by
the systems.

That failure to restrict access to the internet was for test servers, one of which got infected with malware recently.

But the really damning story is that CMS, the Centers for Medicare and Medicaid Services, which was in charge of the product, seemed totally incompetent throughout this process — and directly chose to kill off an independent security review by MITRE, knowing the results would be bad and that they might get out:

Once MITRE completed their September Security Assessment, Mr. Schankweiler?s FFM
development team was unhappy with the report and sought to have it changed. On September
26, 2013, Darren Lyles, one of the IT security officials assigned to the FFM development team,
wrote Ms. Fryer:

The Draft SCA [security control assessment] Report has been called into question
by CGI [primary contractor building the FFM] and CIISG [Consumer Information
Insurance Group, the team within CMS that works with contractors to develop the
FFM and other components] Stakeholders. There are assertions
made in the report that are deemed to be erroneous and misrepresentative of what
actually occurred. I have attached the report that has been commented on by CGI
and would like to submit this for your review.

Michael Mellor, Ms. Fryer?s deputy, responded to Mr. Lyles: ?Keep in mind ? that the purpose
of the SCA is to provide an independent assessment of the security posture of a system. As part
of that independent assessment, the maintainer of the system likely will not agree with all of the
findings and the SCA report.?

Mr. Schankweiler, Mr. Lyles? superior, then responded to Mr. Mellor, insisting that the
report should be reviewed by senior CMS officials and worried the report would be seen by
others outside CMS: ?We need to hit the pause button on this report and have an internal meeting
about it later next week. It is important to look at this within the context of the decision memos
and ATO memo that is going up for Tony [Trenkle, CMS Chief Information Officer] and
Michelle [Snyder, CMS Chief Operating Officer] to sign.? Mr. Schankweiler then wrote the
report was ?only partially accurate, and extremely opinionated, false, misrepresentative, and
inflammatory.? Mr. Schankweiller noted that ?It is very possible that this report will be
reviewed at some point by OIG, and could see the light of day in other ways.? Mr.
Schankweiler offered to ?look at the report from the government perspective and provide …

On October 7, 2013, the lead security tester for MITRE, Milton Shomo, wrote Jane Kim,
a CMS official on Ms. Fryer?s EISG team, ?CCIIO [Centers for Consumer Information and
Insurance Oversight, one of the divisions at CMS responsible for running the exchange] and CGI
Federal had some issues with some of the information in our Marketplace ? draft SCA report
from the assessment we did in August and September. MITRE stands behind everything in our
report as an accurate description of the assessment

There were a number of other similar problems, but it becomes clear that choices were made for political reasons, rather than technological or security reasons.

Filed Under: , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “ Is A Security Disaster… And Those Working On It Knew It, And Tried To Stop Independent Security Review To Hide It”

Subscribe: RSS Leave a comment

Re: Re:

Numerous security people were “sounding the bell” well before the idiotic GOA put out it’s report.

Example of a few:

John McAfee on Obamacare: ?This is a hacker?s wet dream?

No security ever built into Obamacare site: Hacker

Postal Address Bug

At least in West Virginia, the system seems to have a bug which causes it to suppress apartment numbers in customer addresses, both those in communications from the exchange to consumers, and in the information passed on to insurance companies. As you might imagine, this is productive of some confusion, especially for people who live in large apartment buildings.

I am in a moderately large building (18 units), but I get the various notices only because the regular postman knows me by name and sight. Sometimes, things are delayed, as if the relief postman didn’t know what to do with them, and left them for the regular postman to handle.

I don’t know about the website, per se. I have avoided using it, and have, instead, resorted to the telephone number. The clerks are of course using the website itself, but they have hopefully become experienced with its peculiarities.

John Fendersonsays:

Re: Re: Deleting emails, again?

“Yeah, that’s kind of against the rules”

Is it?

In the private sector, companies that have a duty to retain emails do so with a special server and don’t rely on the sender or recipient of the email to do the retention. They can delete anything they like, but compliance is maintained nonetheless.

I would hope (against hope) that government agencies ensure compliance in a similar way.


Re: Re: Re: Re: Deleting emails, again?

You would hope so, yes, but apparently not.

However, this practice was not followed consistently and some emails were lost as a result. While some responsive emails sent within HHS might be retrievable, CMS admitted that ?[w]hile we have not identified any specific emails that we will be unable to retrieve, it is possible that some emails may not be available to HHS.?

They know they don’t have all the emails. They don’t know exactly how many were lost or what was in them, because, well, they’re lost.

John Fendersonsays:

Re: Re: Re: Re: Re: Re: Deleting emails, again?

Yeah, I know. It appears that the email retention plan on the part of at least some agencies is pretty flawed. The first warning sign? That people have been using their private emails for official business to avoid retention policies. Where I work, you’d be fired immediately for doing that.


Re: Re: Re:2 Re: Re: Re: Re: Deleting emails, again?

It’s a warning sign, yes, but I wouldn’t institute a zero-tolerance policy. In the report, some people were using private email accounts, not to avoid retention policies, but so they could sneak out information to people who were supposed to be providing oversight but were being stonewalled.

“CMS officials developing the exchange refused to share vital information with senior IT officials at HHS, even while communicating directly with White House officials. Left out of the loop, HHS officials resorted to using informants within CMS to obtain crucial information, often communicating over private email.”


And they actually contemplated faking documents:

Mr. Linares then suggested creating a standard-looking ATO form, backdated to the date of the Decision Memo so that this document would appear to be the document certifying the exchange to go-live on October 1, even though that document did not exist.

If this kind of thing is in emails that weren’t deleted, I can’t imagine what was in the emails that were deleted.


Re: Re:

This isn’t a bad idea, but it does presume that people with that skillset would actually agree to work on the site AND that the people would in charge would listen to them.

And as we’ve seen, large organizations don’t tend to do that: case in point, Home Depot:

I live near DC. I’ve done security work — rather a lot of it. I have a decent skillset corresponding to a subset of that required to secure a site like this. And there is NO WAY IN HELL I would agree to work on it because it’s obvious on inspection that doing so would be fast-tracking myself to hell. The management of this project is completely concerned with schedule and doesn’t give a damn about security, so anyone raising security concerns is likely to be ostracized, blamed, sidelined, ignored, anything but paid attention to. Why would I want to sign up for that?

I’ll give my one piece of consulting advice here, and for free: folks, every system involved in this effort should be completely blocked (outbound) by two layers of firewalls running two completely different stacks (hardware, OS, software) except for carefully-enumerated known destinations specified by IP/port/protocol and traffic to those destinations should be pushed through sanitizing, logging proxies and someone should be reading those logs and this entire setup should be reviewed once a week to make sure that the enumerated list is still current and doesn’t include anything that it shouldn’t. (That’s not everything, but it’s a start, and well, I did say it was free.)


This is old news on the security disaster. When Obamacare failed in its implementation, a committee was set up to investigate the causes. One of them was a near total lack of security put into the program. This was ignored and buried so that news of an army of fixers were in the process of getting Obamacare on line so it would work. No mentions of the security issues surfaced again until recently.

You can’t just add security into the program after the fact. It has to be built in from the ground up or there will be all sorts of holes in it. No one is wanting to go back and fix it for security issues.

I did not sign up for Obamacare for this main reason. I caught it when it was reported the first time and made very suspicious of it when it failed to become a main agenda priority. All got very quiet on that aspect. That means someone knew and purposely was covering it up. There’s only one reason to do that.


You know, I went into this ready to be slightly sympathetic to the Department of Health on this one. These reports are kind of a double-edged sword; I fully appreciate the need to hold contractors to account for sloppy work, but at the same time I can’t help but think that putting a detailed report on their fuck-ups in the public domain runs the risk of giving the black-hats ideas.

But on this occasion, I think we’ve gone a bit past that stage.

Anonymous Howardsays:

Re: Re:

Any serious deployment would be preceded by a lengthy public beta testing phase, where the source code would be published and said black hats would be rewarded lavishly for every found and reported security flaw in the system.

This is, of course, not the case with cronies producing low quality software for outrageous prices.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Report this ad??|??Hide Techdirt ads
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Older Stuff
12:25 Australian Privacy Commissioner Says 7-Eleven Broke Privacy Laws By Scanning Customers' Faces At Survey Kiosks (6)
10:50 Missouri Governor Doubles Down On 'View Source' Hacking Claim; PAC Now Fundraising Over This Bizarrely Stupid Claim (45)
10:45 Daily Deal: The All-in-One Microsoft, Cybersecurity, And Python Exam Prep Training Bundle (0)
09:43 Want To Understand Why U.S. Broadband Sucks? Look At Frontier Communications In Wisconsin, West Virginia (8)
05:36 Massachusetts College Decides Criticizing The Chinese Government Is Hate Speech, Suspends Conservative Student Group (71)
19:57 Le Tigre Sues Barry Mann To Stop Copyright Threats Over Song, Lights Barry Mann On Fire As Well (21)
16:07 Court Says City Of Baltimore's 'Heckler's Veto' Of An Anti-Catholic Rally Violates The First Amendment (15)
13:37 Two Years Later, Judge Finally Realizes That A CDN Provider Is Not Liable For Copyright Infringement On Websites (21)
12:19 Chicago Court Gets Its Prior Restraint On, Tells Police Union Head To STFU About City's Vaccine Mandate (158)
10:55 Verizon 'Visible' Wireless Accounts Hacked, Exploited To Buy New iPhones (8)
10:50 Daily Deal: The MacOS 11 Course (0)
07:55 Suing Social Media Sites Over Acts Of Terrorism Continues To Be A Losing Bet, As 11th Circuit Dumps Another Flawed Lawsuit (11)
02:51 Trump Announces His Own Social Network, 'Truth Social,' Which Says It Can Kick Off Users For Any Reason (And Already Is) (100)
19:51 Facebook AI Moderation Continues To Suck Because Moderation At Scale Is Impossible (26)
16:12 Content Moderation Case Studies: Snapchat Disables GIPHY Integration After Racist 'Sticker' Is Discovered (2018) (11)
13:54 Arlo Makes Live Customer Service A Luxury Option (8)
12:05 Delta Proudly Announces Its Participation In The DHS's Expanded Biometric Collection Program (5)
11:03 LinkedIn (Mostly) Exits China, Citing Escalating Demands For Censorship (14)
10:57 Daily Deal: The Python, Git, And YAML Bundle (0)
09:37 British Telecom Wants Netflix To Pay A Tax Simply Because Squid Game Is Popular (32)
06:41 Report: Client-Side Scanning Is An Insecure Nightmare Just Waiting To Be Exploited By Governments (35)
20:38 MLB In Talks To Offer Streaming For All Teams' Home Games In-Market Even Without A Cable Subscription (10)
15:55 Appeals Court Says Couple's Lawsuit Over Bogus Vehicle Forfeiture Can Continue (15)
13:30 Techdirt Podcast Episode 301: Scarcity, Abundance & NFTs (0)
12:03 Hollywood Is Betting On Filtering Mandates, But Working Copyright Algorithms Simply Don't Exist (66)
10:45 Introducing The Techdirt Insider Discord (4)
10:40 Daily Deal: The Dynamic 2021 DevOps Training Bundle (0)
09:29 Criminalizing Teens' Google Searches Is Just How The UK's Anti-Cybercrime Programs Roll (19)
06:29 Canon Sued For Disabling Printer Scanners When Devices Run Out Of Ink (41)
20:51 Copyright Law Discriminating Against The Blind Finally Struck Down By Court In South Africa (7)
More arrow